Splunk Search

help me with field extraction

sravankaripe
Communicator

[image: current search results]

I want to convert it to

[image: desired result]

I want these fields:

Average overtime
Max value overtime
min value overtime

1 Solution

somesoni2
Revered Legend

Give this a try

your base search | rex field="ActualTime" "(?<sec>\d+) second (?<millisec>\d+) millisec (?<microsec>\d+) microsec (?<nanosec>\d+) nanosec" | eval ActualTime=round(sec+(millisec/1000)+(microsec/1000000)+(nanosec/1000000000),9) 

You can then add appropriate aggregation commands per your need. E.g.

your base search | rex field="ActualTime" "(?<sec>\d+) second (?<millisec>\d+) millisec (?<microsec>\d+) microsec (?<nanosec>\d+) nanosec" | eval ActualTime=round(sec+(millisec/1000)+(microsec/1000000)+(nanosec/1000000000),9) | stats avg(ActualTime) as "Average overtime" max(ActualTime) as "Max value overtime" min(ActualTime) as "min value overtime"
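The SPL above does three things: rex pulls the four numeric groups out of the "N second N millisec N microsec N nanosec" string, eval sums them into fractional seconds rounded to nanosecond precision, and stats aggregates. The following Python is an added example that is not part of the thread or of Splunk; it re-implements that pipeline so the unit arithmetic can be checked offline, and it also shows what happens to a value the pattern does not match (in Splunk the rex groups stay unset, eval yields null, and stats silently ignores the event). The sample ActualTime values are constructed for this example, and the function names are mine.

```python
import re
from statistics import mean
from typing import Optional

# Same pattern as the rex in the answer; Python spells named groups (?P<name>...).
ACTUAL_TIME_RE = re.compile(
    r"(?P<sec>\d+) second (?P<millisec>\d+) millisec "
    r"(?P<microsec>\d+) microsec (?P<nanosec>\d+) nanosec"
)


def to_seconds(actual_time: str) -> Optional[float]:
    """Mirror of `rex field="ActualTime" ... | eval ActualTime=round(...,9)`.

    Returns None when the string does not match, which is what a null
    ActualTime looks like in Splunk after the eval.
    """
    m = ACTUAL_TIME_RE.search(actual_time)
    if not m:
        return None
    sec, ms, us, ns = (int(m.group(g)) for g in ("sec", "millisec", "microsec", "nanosec"))
    # Identical arithmetic to the eval: seconds plus the three sub-second parts,
    # rounded to 9 decimals (one nanosecond).
    return round(sec + ms / 1000 + us / 1_000_000 + ns / 1_000_000_000, 9)


def summarize(values):
    """Mirror of `stats avg(...) max(...) min(...)` over the converted field.

    Non-matching values are dropped, as stats drops nulls; `matched` reports
    how many events actually contributed so a silent drop is visible.
    """
    converted = [t for t in (to_seconds(v) for v in values) if t is not None]
    if not converted:
        return {"Average overtime": None, "Max value overtime": None,
                "min value overtime": None, "matched": 0}
    return {
        "Average overtime": round(mean(converted), 9),
        "Max value overtime": max(converted),
        "min value overtime": min(converted),
        "matched": len(converted),
    }


# Constructed sample values in the thread's format (not real data).
SAMPLE_ACTUAL_TIMES = [
    "0 second 15 millisec 250 microsec 0 nanosec",
    "2 second 0 millisec 0 microsec 500 nanosec",
    "1 second 999 millisec 999 microsec 999 nanosec",
    "n/a",  # unparseable: excluded from the aggregate, as a null would be
]

if __name__ == "__main__":
    for v in SAMPLE_ACTUAL_TIMES:
        print(f"{v!r:50} -> {to_seconds(v)}")
    print(summarize(SAMPLE_ACTUAL_TIMES))
```

The `matched` count is the part worth carrying back into Splunk: adding `count(ActualTime)` alongside `count` in the stats command tells you how many events the rex failed to parse, which is otherwise invisible in an average.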


sravankaripe
Communicator

| rex "ActualTime=\s(?<ActualTime>[^|]*)\"" | rex field="ActualTime" "(?<sec>\d+) second (?<millisec>\d+) millisec (?<microsec>\d+) microsec (?<nanosec>\d+) nanosec" | eval ActualTime=round(sec+(millisec/1000)+(microsec/1000000)+(nanosec/1000000000),9)

It's working for me, thanks.


gcusello
SplunkTrust

Hi sravankaripe,
did you try the round function?

| eval ActualTime=round(ActualTime,0)

After that you can calculate avg, max and min:

| stats avg(ActualTime) AS avg max(ActualTime) AS max min(ActualTime) AS min 

Bye.
Giuseppe


sravankaripe
Communicator

In the above image, ActualTime was extracted through rex.
So the result which you gave is not working for me.
